Maintaining Data Privacy with Ashish Kirtikar

WITH ASHISH KIRTIKAR
MAINTAINING DATA PRIVACY
THE MULTICERT WAY
YOUR IT COMPLIANCE PARTNER
GO BEYOND THE CHECKLIST

2
© ControlCase. All Rights Reserved.
ASHISH KIRTIKAR
President, UK
ControlCase
Ashish is responsible for handling the HITRUST and CSP verticals and ensures efficient and quality
delivery of services to clients in the Healthcare sector and beyond. In addition, he is also
responsible for sales and execution of business for the Europe and UK regions.
Ashish has over 13 years of experience and proficiency in Information and Network Security,
Information Risk Management, Cyber Security, Resilience, Security Architecture Designing,
Information Security Audit and Governance having handled clients across the globe. He has
handled the entire gamut of project management functions related to Cyber Security/Information
Security Operations across Banking, Financial, Insurance, Telecom, and IT Services and Industries.
Ashish has functioned as a speaker and trainer on various Information Security Topics globally and
writes online articles/blogs covering topics of Information Security and Leadership. He has a
Bachelor’s Degree in Computer Science from Mumbai University and has completed a
management program from the Indian School of Business and National University of Singapore.
Our Speaker

ControlCase. All Rights Reserved. 3
Agenda
ControlCase
Introduction
Data Protection
by Design
The Multi-cert Way
to Data Protection
01 02 03
Multi-cert
Common
Challenges
One Audit
Assess Once,
Comply to Many
04 05

ControlCase
Introduction

ControlCase Snapshot
© ControlCase. All Rights Reserved. 5
CERTIFICATION AND CONTINUOUS COMPLIANCE SERVICES
Go beyond the auditor’s checklist to: Dramatically reduce the time, cost, and burden of maintaining IT compliance and becoming certified.
Demonstrate
compliance more
efficiently and cost
effectively (cost
certainty)
Free up your internal
resources to focus on
other priorities
Offload much of the
compliance burden to a
trusted compliance
partner
Improve efficiencies
by doing more with
less resources and gain
compliance peace of
mind
1,000+
CLIENTS
10,000+
IT SECURITY
CERTIFICATIONS
275+
SECURITY
EXPERTS

ControlCase Snapshot – Solution
Partnership
Approach
Automation
Compliance
HUB
IT Certification
Services
Continuous
Compliance
Services
Certification and Continuous Compliance Services

Certification Services
One Audit
Assess Once. Comply to Many.
PCI DSS ISO 27001
& 27002
SOC 1,2,3 & SOC
for Cybersecurity
HIPAA
CMMC PCI P2PE GDPR NIST 800-53
PCI PIN PCI SSF/SLC CSA STAR HITRUST CSF

DATA PROTECTION
BY DESIGN

DATA IS THE NEW OIL
What is Data Protection by Design?

Three Key Areas of Focus
DATA PROTECTION
=
PRIVACY
DATA PROTECTION
=
SECURITY
DATA PROTECTION
=
PRIVACY
+
SECURITY

What is Data Protection by Design?
Data protection by design is an approach that
ensures data protection
requirements are considered at the design
phase of any system,
service, product or process and then
throughout the lifecycle.
ICO UK has recommended this approach to be
considered for effective GDPR implementation.
This approach helps in having a proactive outlook
towards data protection instead of a reactive one.
This helps strategize whether a detective, preventive or
deterrent control needs to be implemented for
overall security / protection as well as effective business
operability for any system, service, product or process.

THE MULTI-CERT WAY
TO DATA PROTECTION

Why Multi-cert?
In today’s world multiple certifications/regulations have
been enforced for the security and privacy of data.
Some cover specific datasets, overall security posture,
or they may be specific to privacy requirements.
A multi-cert approach acts like a
tongue and groove joint, where
controls which are not covered in one
certification are covered in other thus
giving a wholistic implementation.
This assists in organization’s achieve an effective
implementation of ‘Defense in Depth’,
methodology which can provide deep Data Protection.

Multi-cert Way
Payment Card Industry
Data Security Standard
(PCI DSS)
Established by leading
payment cardzz issuers –
Guidelines for securely
processing, storing, or
transmitting payment card
account data.
GDPR
General Data Protection
Regulation is a regulation
in EU / UK law on data
protection andz privacy in
the UK / European Union
and the European
Economic Area. It was
adopted in 2016 and
enforceable since 2018.
ISO 27001/ISO 27002
- ISO 27001
The management
framework for
implementing
information security
within an organization.
ISO 27002 are the
detailed controls from
an implementation
perspective.
SOC 2
Created by the American
Institute of Certified Public
Accountants (AICPA) to fill the
gap for organizations that
were being requested to have
a SAS 70 (now SSAE 18).
The purpose of a SOC 2
report is to evaluate an
organization’s information
systems relevant to Security,
Availability, Processing
Integrity, Confidentiality or
Privacy.
For Example: consider the following certifications, which are seen in the UK / Europe region

Multi-Cert Way – Data Protection by Design
The multi-cert approach provides an
integrated way of compliance and
data protection implementation by
covering the multiple aspects to the
right.
All the regulations mentioned in the
earlier slide, have a very important
parameter which talks of security /
privacy as a part of the organizational
lifecycle.
This when implemented in an
integrated manner helps achieve Data
Protection by Design.
Compliance Management Policy Management
Vendor / Third Party Management Asset and Vulnerability Management
Logging and Monitoring Change Management
Incident and Problem Management Data Management
Risk Management Business Continuity Management
HR Management Physical Security
Compliance Project Management

INDUSTRY REGULATION
Business Process Organizations (BPOs) GDPR, PCI DSS, SOC2, ISO 27001, Cyber Essentials (UK)
Payments GDPR, PCI DSS, SOC2, ISO 27001, Cyber Essentials (UK)
Financial Services GDPR, PCI DSS, PSD-2, ISO 27001, Cyber Essentials (UK)
Critical Infrastructure GDPR, NIS-1 / NIS-2, ISO27001, Cyber Essentials plus (UK)
Common Regulations by Region / Industry

MULTI-CERT COMMON
CHALLENGES

Multi-cert Common Challenges
ControlCase. All Rights Reserved. 18
Redundant Efforts Cost Inefficiencies
Lack of Compliance
Dashboard
Fixing of Dispositions
Change in Environment Reliance on Third Parties
Increased Regulations
Reducing Budgets (Do
more with less)

ONE AUDIT
ASSESS ONCE,
COMPLY TO MANY

ControlCase Solution – One Audit
One Audit
Assess Once. Comply to Many.
? No. Topic Question ControlCase
Integrated
Standard
PCI DSS
3.2.1
ISO
27001
HIPAA SOC2
4 Scoping
Provide your asset list, a list of the software, databases, data storage locations, Sample Sets and other related data
elements.
CC4 X X X X
28
Data
Encryption
at rest
Provide the following for all filesystems, databases and any backup media:
• Details on the method (encryption, hashing, truncation, tokenization) being used to protect covered information in
storage
• Evidence (screenshots or settings) showing covered information is protected. For encryption method, please
share the evidence of it's associated key management.
• Documented description of the cryptographic architecture that includes:
1. Details of all algorithms, protocols, and keys used for the protection of cardholder data, including key strength
and expiry date
2. The function of each key used in the cryptographic architecture.
3. Inventory of any HSMs and other secure cryptographic devices (SCD) used for key management (to be
provided in inventory
as part of Q4).
CC37 X X X X
44
Logical
Access
Provide the organizational access control policy. CC63 X X X X
50
Logical
Access
For all assets identified in the sample provide evidence of logical access account and password features to include:
CC69 X X X X
67
Logging
and
Monitoring
For the sample, provide the audit log policy settings. CC95 X X X 67
77
Security
Testing
Provide external penetration test reports for network and application layer. CC115 X X X 77

Compliance Evidence Overlap
Regulation(s) Completed Other Regulation status based on questions overlap
PCI SOC 2 ISO 27001 HIPAA
100% Complete 49.1% (84) Complete 67% (77) Complete 76.1% (54) Complete
50.9% (87) No Evidence Uploaded 33% (38) No Evidence Uploaded 23.9% (17) No Evidence Uploaded

Assisted by Automation
ACE
• Automated Compliance Engine
• Can collect evidence such as configurations remotely
CDD
• Data Discovery Solution
• Can scan end user workstations for card data
1 2

Compliance & Certification Time Savings
1,600 HRS. EVIDENCE COLLECTION* 600 HRS. CERTIFICATION SUPPORT*
350 HRS.
EVIDENCE
COLLECTION*
600 HRS. CERTIFICATION
SUPPORT*
2,200 hrs. total time
spent on compliance &
certification using
another auditor*
950 hrs. total time spent
on compliance &
certification by partnering
with ControlCase*
* Based on 1 environment with 4 parallel certifications (PCI, ISO, SOC2, HIPAA).

Three Key Areas of Focus
CONTINUOUS
An effective compliance program for
cyber security must provide a stream
of continuous, accurate information
about posture.
AUTOMATED
Continuous compliance requires an
automated platform that collects and
processes data in as close to real-time as
can be achieved.
INTEGRATED
The best compliance programs are
integrated into the systems being
measured, versus built as after-the-
fact overlays.

Summary – Why ControlCase
“They provide excellent service, expertise and technology. And, the visibility into my compliance
throughout the year and during the audit process provide a lot of value to us.”
— Dir. of Compliance,
SaaS company
Partnership
Approach
Automation
Compliance
HUB
Continuous
Compliance
Services

QUESTIONS &
ANSWERS

THANK YOU FOR THE
OPPORTUNITY TO
CONTRIBUTE TO YOUR IT
COMPLIANCE PROGRAM.
www.controlcase.com
(US) + 1 703.483.6383 (INDIA) + 91.22.62210800
contact@controlcase.com

Maintaining Data Privacy with Ashish Kirtikar

Recommended

Recommended

More Related Content

Similar to Maintaining Data Privacy with Ashish Kirtikar

Similar to Maintaining Data Privacy with Ashish Kirtikar (20)

More from ControlCase

More from ControlCase (20)

Recently uploaded

Recently uploaded (20)

Maintaining Data Privacy with Ashish Kirtikar